Version: 3.9.x.x RR (Android, iOS, Flutter)/ 3.10.x.x RR (React Native)

Secure storage

The Secure Storage component ensures that sensitive data is managed securely on the device. The most important data to protect is the private key, which is generated during registration and accessed in subsequent FIDO operations. In this regard, secure storage includes the following:

The private key used for FIDO UAF is completely managed by the hardware-backed Keystore on Android, and by the Secure Enclave on iOS. This storage option is possible only if the device is configured to use a lock screen.

Key material used for push notification encryption and signing, together with any other sensitive data used in the FIDO UAF context, is stored securely in Shared Preferences on Android and in the Keychain on iOS.

The hashed application PIN, used by the Application PIN Authenticator, is also stored securely in the Shared Preferences and Keychain. The same applies to the password authenticator.

To provide additional protection of the private key, the device offers the option of binding the key with user authentication. In this configuration, the user must always authenticate if access to the private key is needed. To authenticate, the user must provide one of the system-defined credentials such as the ones listed for the device lock screen.

info

The SDK verifies and enforces the presence of secure storage.

  • On iOS, this is enforced by requiring iOS 11, which only runs on iPhones with the Secure Enclave present.
  • On Android, SDK initialization fails at runtime if no secure storage is available.

Some devices lack the required secure storage. For details, see the Device Support section of the Access App documentation.

Android StrongBox

With Android version 9 (API Level 28) or higher, the SDK attempts to store the key material in StrongBox.

StrongBox storage of key material cannot be guaranteed, because it depends not only on the Android version but also on other factors, such as:

  • Vendor hardware support for StrongBox.
  • StrongBox support of the used key algorithms.

info

StrongBox explicitly refers to devices such as embedded Secure Elements (eSE) or on-SoC secure processing units (iSE). Refer to the official Android documentation for more details.

tip

Because the wording is rather ambiguous, we provide a code snippet that lets you check whether the key material is actually stored in StrongBox.
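One way to perform such a check, as an added Kotlin example that is not the SDK's own snippet: it assumes a key already created under a hypothetical alias in the AndroidKeyStore provider, and it distinguishes the API 31+ security level (which can name StrongBox) from the older isInsideSecureHardware() flag (which cannot tell StrongBox from a TEE).

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import java.security.KeyFactory
import java.security.KeyStore
import java.security.PrivateKey

// STRONGBOX is the only value that confirms storage in an eSE/iSE.
// SECURE_HARDWARE means "TEE or StrongBox, the platform did not say which".
enum class KeyStorage { STRONGBOX, TEE, SECURE_HARDWARE, SOFTWARE, UNKNOWN }

// Device-level hint only: the platform advertises a StrongBox Keymaster.
// A positive result does not prove that any particular key lives there.
fun deviceAdvertisesStrongBox(context: Context): Boolean =
    Build.VERSION.SDK_INT >= Build.VERSION_CODES.P &&
        context.packageManager.hasSystemFeature(PackageManager.FEATURE_STRONGBOX_KEYSTORE)

// Per-key check. `alias` is a hypothetical alias of an asymmetric key that
// was already generated in AndroidKeyStore (for example with setIsStrongBoxBacked(true)).
fun storageOfKey(alias: String): KeyStorage {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val privateKey = keyStore.getKey(alias, null) as? PrivateKey ?: return KeyStorage.UNKNOWN
    // KeyInfo is only obtainable through the AndroidKeyStore provider's KeyFactory.
    val keyInfo = KeyFactory.getInstance(privateKey.algorithm, "AndroidKeyStore")
        .getKeySpec(privateKey, KeyInfo::class.java)

    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        // API 31+: the security level separates StrongBox from a plain TEE.
        when (keyInfo.securityLevel) {
            KeyProperties.SECURITY_LEVEL_STRONGBOX -> KeyStorage.STRONGBOX
            KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> KeyStorage.TEE
            KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE -> KeyStorage.SECURE_HARDWARE
            KeyProperties.SECURITY_LEVEL_SOFTWARE -> KeyStorage.SOFTWARE
            else -> KeyStorage.UNKNOWN
        }
    } else {
        // API 28-30: isInsideSecureHardware() is true for both TEE and StrongBox keys.
        // The only definitive signal on these versions is that key generation with
        // setIsStrongBoxBacked(true) completed without StrongBoxUnavailableException.
        @Suppress("DEPRECATION")
        if (keyInfo.isInsideSecureHardware) KeyStorage.SECURE_HARDWARE else KeyStorage.SOFTWARE
    }
}
```

Treat any result other than STRONGBOX as "not confirmed", and log it at SDK initialization so that fleet-wide telemetry shows which device models actually provide StrongBox.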